Description

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

INFO

Published Date :

2025-06-13T17:21:33.575Z

Last Modified :

2025-06-13T18:20:04.000Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49584 vulnerability.

Vendors Products
Xwiki
  • Xwiki
  • Xwiki-platform
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49584.

URL Resource
https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec cve-icon cve-icon
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv cve-icon cve-icon
https://jira.xwiki.org/browse/XWIKI-22736 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact